FC5, rpm-4.4.2-15.2, reproduced on x86_64 and i386, crashes when -qRp'ing some packages over URLs. It doesn't happen for all packages, but here's a reproducer: $ rpm -qRp http://dag.wieers.com/packages/mplayerplug-in/mplayerplug-in-3.25-1.fc2.rf.i386.rpm error: open of http://dag.wieers.com/packages/mplayerplug-in/mplayerplug-in-3.25-1.fc2.rf.i386.rpm failed: error: open of http://dag.wieers.com/packages/mplayerplug-in/mplayerplug-in-3.25-1.fc2.rf.i386.rpm failed: warning: _url_cache[0] 0x52f890 nrefs(5538079) != 1 (�T ) *** glibc detected *** /usr/lib/rpm/rpmq: double free or corruption (out): 0x0000003292344c60 *** ======= Backtrace: ========= /lib64/libc.so.6[0x329216d7a3] /lib64/libc.so.6(__libc_free+0x84)[0x329216d924] /usr/lib64/librpmio-4.4.so(XurlFree+0x2b0)[0x3e640311a0] /usr/lib64/librpmio-4.4.so(urlFreeCache+0x71)[0x3e64031e71] /usr/lib/rpm/rpmq[0x401e14] /lib64/libc.so.6(__libc_start_main+0xf4)[0x329211d084] /usr/lib/rpm/rpmq[0x4018e9] ======= Memory map: ======== 00400000-00403000 r-xp 00000000 08:03 12983851 /usr/lib/rpm/rpmq 00502000-00505000 rw-p 00002000 08:03 12983851 /usr/lib/rpm/rpmq 00505000-00568000 rw-p 00505000 00:00 0 [heap] 3291400000-3291419000 r-xp 00000000 08:03 10857947 /lib64/ld-2.4.so 3291519000-329151a000 r--p 00019000 08:03 10857947 /lib64/ld-2.4.so 329151a000-329151b000 rw-p 0001a000 08:03 10857947 /lib64/ld-2.4.so 3291600000-3291611000 r-xp 00000000 08:03 10857959 /lib64/libresolv-2.4.so 3291611000-3291711000 ---p 00011000 08:03 10857959 /lib64/libresolv-2.4.so 3291711000-3291712000 r--p 00011000 08:03 10857959 /lib64/libresolv-2.4.so 3291712000-3291713000 rw-p 00012000 08:03 10857959 /lib64/libresolv-2.4.so 3291713000-3291715000 rw-p 3291713000 00:00 0 3291800000-3291802000 r-xp 00000000 08:03 10857960 /lib64/libcom_err.so.2.1 3291802000-3291901000 ---p 00002000 08:03 10857960 /lib64/libcom_err.so.2.1 3291901000-3291902000 rw-p 00001000 08:03 10857960 /lib64/libcom_err.so.2.1 3292100000-329223f000 r-xp 00000000 08:03 10857948 /lib64/libc-2.4.so 329223f000-329233f000 ---p 0013f000 08:03 10857948 /lib64/libc-2.4.so 329233f000-3292343000 r--p 0013f000 08:03 10857948 /lib64/libc-2.4.so 3292343000-3292344000 rw-p 00143000 08:03 10857948 /lib64/libc-2.4.so 3292344000-3292349000 rw-p 3292344000 00:00 0 3292400000-3292402000 r-xp 00000000 08:03 10857953 /lib64/libdl-2.4.so 3292402000-3292502000 ---p 00002000 08:03 10857953 /lib64/libdl-2.4.so 3292502000-3292503000 r--p 00002000 08:03 10857953 /lib64/libdl-2.4.so 3292503000-3292504000 rw-p 00003000 08:03 10857953 /lib64/libdl-2.4.so 3292600000-3292680000 r-xp 00000000 08:03 10857949 /lib64/libm-2.4.so 3292680000-3292780000 ---p 00080000 08:03 10857949 /lib64/libm-2.4.so 3292780000-3292781000 r--p 00080000 08:03 10857949 /lib64/libm-2.4.so 3292781000-3292782000 rw-p 00081000 08:03 10857949 /lib64/libm-2.4.so 3292800000-3292811000 r-xp 00000000 08:03 12692506 /usr/lib64/libelf-0.119.so 3292811000-3292910000 ---p 00011000 08:03 12692506 /usr/lib64/libelf-0.119.so 3292910000-3292911000 rw-p 00010000 08:03 12692506 /usr/lib64/libelf-0.119.so 3292a00000-3292a57000 r-xp 00000000 08:03 12700271 /usr/lib64/libsqlite3.so.0.8.6 3292a57000-3292b57000 ---p 00057000 08:03 12700271 /usr/lib64/libsqlite3.so.0.8.6 3292b57000-3292b59000 rw-p 00057000 08:03 12700271 /usr/lib64/libsqlite3.so.0.8.6 3292e00000-3292e29000 r-xp 00000000 08:03 12700045 /usr/lib64/libbeecrypt.so.6.4.0 3292e29000-3292f28000 ---p 00029000 08:03 12700045 /usr/lib64/libbeecrypt.so.6.4.0 3292f28000-3292f2c000 rw-p 00028000 08:03 12700045 /usr/lib64/libbeecrypt.so.6.4.0 3293000000-3293014000 r-xp 00000000 08:03 12698008 Aborted (core dumped)
Created attachment 127795 [details] gdb backtrace from crash
The URL is returning 302, redirects not handled by rpm.
*** Bug 190010 has been marked as a duplicate of this bug. ***
*** Bug 152285 has been marked as a duplicate of this bug. ***
User pnasrat's account has been closed
Bug 190010 has some information that should be recorded here. For one thing, the bug happens when the remote repository does not respond. To trigger the bug, therefore, it is sufficient to do something like this: rpm -ivh http://rpm.nosuchorg.org/thereisnosuchpackage.rpm Here is what happens when that command is issued under valgrind (there is more output, but this is the important part for this bug): ==17800== Invalid free() / delete / delete[] ==17800== at 0x4905208: free (vg_replace_malloc.c:235) ==17800== by 0x385FB3124B: XurlFree (in /usr/lib64/librpmio-4.4.so) ==17800== by 0x385FB31E80: urlFreeCache (in /usr/lib64/librpmio-4.4.so) ==17800== by 0x4040DB: ??? (rpmqv.c:886) ==17800== by 0x33AC91D083: __libc_start_main (in /lib64/libc-2.4.so) ==17800== Address 0x8525F08 is 0 bytes inside a block of size 176 free'd ==17800== at 0x4905208: free (vg_replace_malloc.c:235) ==17800== by 0x385FB3124B: XurlFree (in /usr/lib64/librpmio-4.4.so) ==17800== by 0x385FB1D1B9: (within /usr/lib64/librpmio-4.4.so) ==17800== by 0x385FB1D524: davOpen (in /usr/lib64/librpmio-4.4.so) ==17800== by 0x385FB2697D: (within /usr/lib64/librpmio-4.4.so) ==17800== by 0x385FB26EA0: Fopen (in /usr/lib64/librpmio-4.4.so) ==17800== by 0x385FB30C65: urlGetFile (in /usr/lib64/librpmio-4.4.so) ==17800== by 0x35A9637B30: rpmInstall (in /usr/lib64/librpm-4.4.so) ==17800== by 0x404927: ??? (rpmqv.c:790) ==17800== by 0x33AC91D083: __libc_start_main (in /lib64/libc-2.4.so) which implicates the urlFree in davInit (rpmio/rpmdav.c) as the place where the first free() took place.
Reassigning to owner after bugzilla made a mess, sorry about the noise...
Moving to devel, FC5 is EOL. Rpm crashing on failure with neon transport is essentially the same in here and bug 190010, supporting redirects (which is the request here) is a different issue.
The crash has been fixed some time ago, additionally upstream rpm.org now supports redirects if the used helper does (curl etc do): $ ./rpmq -qpi http://dag.wieers.com/packages/mplayerplug-in/mozilla-mplayer-0.95-1.rhel2.1.dag.i386.rpm warning: http://dag.wieers.com/packages/mplayerplug-in/mozilla-mplayer-0.95-1.rhel2.1.dag.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6 Name : mozilla-mplayer Relocations: /usr Version : 0.95 Vendor: Dag Apt Repository, http://dag.wieers.com/apt/ Release : 1.rhel2.1.dag Build Date: Sun 01 Feb 2004 12:40:08 PM EET Install Date: (not installed) Build Host: localhost Group : Applications/Internet Source RPM: mozilla-mplayer-0.95-1.rhel2.1.dag.src.rpm Size : 198465 License: GPL Signature : DSA/SHA1, Tue 03 Feb 2004 12:12:31 PM EET, Key ID a20e52146b8d79e6 Packager : Dag Wieers <dag> URL : http://mplayerplug-in.sourceforge.net/ Summary : MPlayer plugin for Mozilla. Description : This package contains a plugin for the Mozilla browser that makes it possible to use the MPlayer movie player in Mozilla.